fc62a934f4b2217c9d0c316f4cfdfc6e0ac2f91e2f902fa189db6a610ed5e9d7

Analysis

max time kernel
172s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f0e4b9b57ad8754efe7cb70461790ef.exe
Size

104KB
MD5

4f0e4b9b57ad8754efe7cb70461790ef
SHA1

588b827dddab0dbdc2a29759dd981ea7d76df9f0
SHA256

fc62a934f4b2217c9d0c316f4cfdfc6e0ac2f91e2f902fa189db6a610ed5e9d7
SHA512

fe7d954b3146db2064d0cdcbc32009ef4673330f05e16e68eba85b2d1f558565b79e6c28e74d846913bf4267a7695e6f6198931134aacaa73d03731a7d141458
SSDEEP

3072:za8P462TmB/Ka3sXTDUENFFwmlm30xka5z5yC4QlSq1:za8P428XTYm0mlm34ll5N4OSq

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000001e71b-6.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	4f0e4b9b57ad8754efe7cb70461790ef.exe

Executes dropped EXE 3 IoCs

pid	Process
4540	svchos.exe
3360	svcpos.exe
3968	m1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchos.exe	4f0e4b9b57ad8754efe7cb70461790ef.exe
File created	C:\Windows\svcpos.exe	4f0e4b9b57ad8754efe7cb70461790ef.exe
File opened for modification	C:\Windows\m1.exe	svchos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4540	svchos.exe
4540	svchos.exe
4540	svchos.exe
3968	m1.exe
3968	m1.exe
3968	m1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4540	808	4f0e4b9b57ad8754efe7cb70461790ef.exe	91
PID 808 wrote to memory of 4540	808	4f0e4b9b57ad8754efe7cb70461790ef.exe	91
PID 808 wrote to memory of 4540	808	4f0e4b9b57ad8754efe7cb70461790ef.exe	91
PID 808 wrote to memory of 3360	808	4f0e4b9b57ad8754efe7cb70461790ef.exe	93
PID 808 wrote to memory of 3360	808	4f0e4b9b57ad8754efe7cb70461790ef.exe	93
PID 808 wrote to memory of 3360	808	4f0e4b9b57ad8754efe7cb70461790ef.exe	93
PID 4540 wrote to memory of 3968	4540	svchos.exe	94
PID 4540 wrote to memory of 3968	4540	svchos.exe	94
PID 4540 wrote to memory of 3968	4540	svchos.exe	94

C:\Users\Admin\AppData\Local\Temp\4f0e4b9b57ad8754efe7cb70461790ef.exe
"C:\Users\Admin\AppData\Local\Temp\4f0e4b9b57ad8754efe7cb70461790ef.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\svchos.exe
  "C:\Windows\svchos.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\m1.exe
    m1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3968
- C:\Windows\svcpos.exe
  "C:\Windows\svcpos.exe"
  2⤵
  - Executes dropped EXE
  PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\m1.exe

Filesize
360KB

MD5
d62ca985a6fa6f78e8d673a0455667cf

SHA1
40723fad079f5748f786eb9d243566b91e0f41bf

SHA256
cad17d837a363cf76a842ec61b61177d84e2a865110c490c0f28124764aa6023

SHA512
53e34b2d55e0a59bf7b7194789a4b1747a237e5eb5e4f5fafda4985814e87afb64ce53a4112e7247cd7015fff5ac0ac220783cce66fa24972aad15457b0a3d01

Download Submit
C:\Windows\svchos.exe

Filesize
91KB

MD5
6701c68d6d21755130ec08f1d4a79b06

SHA1
32b33d6ccfa635ff5e6bbd7abd0f58790eff37f9

SHA256
768aad61382cc001b10992043820ac355c80ae6f903ee5d2e5343b00f89e7e9c

SHA512
9a2fd0b5df7e633d0fc955829ae50951ce6c74f5a27621b8d987b938e9183020a1c3ca917531a736ce9ea8cd94a283e13fcec16005cdec714cef1efea62ce822

Download Submit
C:\Windows\svcpos.exe

Filesize
10KB

MD5
3996f51fa1bb62848673b3f26ba75da0

SHA1
5bbfa7833fd4be2449245a39a267a5ab640d30dc

SHA256
1001dfde2088f1318edd5a62d5d48a52fdab5cdbfdd77ef3509054e9c714b337

SHA512
8d3801829548c25db72f477840bc2bdb5f6a656ca314ea6ed63a1284a6e03141cd4ef46d82f28c5db63289e429d705e56a1bfe0ee031df9dc7275ab8966a1c5e

Download Submit
memory/808-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/808-24-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3360-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3360-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3360-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3360-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4540-33-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download